https://bugzilla.gnome.org/show_bug.cgi?id=599066 sysadmin | Git | unspecified
--- Comment #19 from Owen Taylor <[email protected]> 2010-10-29 21:36:16 UTC ---

(In reply to comment #18)
> > Basically if you have commit access to l10n.gnome.org you can make the account
> > do whatever you want, so I don't think locking down the key too hard has a
> > point. Readable-as-web-service-user seems about as good as we can easily do.
>
> Ok so the question is do we want d-l to run the equivalent of git push directly
> to git.gnome.org? It does open things up a bit more, but in the worst possible
> case, someone reverts the commits and it is only language files. You seem to be
> of the opinion that it is ok to give users enough rope to hang themselves. I'm
> still working out the details of how things in gnome-land work :)

Yes, you get some extra security if:

 A) You run the git push as a different user so the gnomeweb user can't read
    the ssh key
 B) You run the git push with a fixed set of options, so exploiting holes in
    our setup with tricky git push options is harder

But on the other hand automated commits to git seem hard enough to do without
an extra layer. You can't just do something like cron/fishpoll something like:

  ( cd $gnomeweb/checkouts/some_directory && git push )

Because hooks in some_directory will run and you might as well have run the
git push as the original user. So you'd need to figure out how to disable git
hooks when running the push command. (And also worry about what effect git push
options in .git/config have on the push.)

If possible at all, then the solution might not be too bad, but I don't think
it's that important and worth blocking getting something working on.
The essential layers of security here are:

 - The security of the web app
 - The security of restricting commits to be to .po files in the po/ directory
   (shouldn't be able to commit to po/Makefile.*)
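A server-side pre-receive hook enforcing the second layer named above (pushes from the automated translation account may only touch po/*.po, never po/Makefile.* or anything else), added here as an example; it is not code from the bug thread or from GNOME's infrastructure, and the account name "translations" is an assumed placeholder.

```shell
#!/bin/sh
# Server-side pre-receive hook (added example, not from the bug thread).
# A push from the automated translation account may only touch po/<lang>.po,
# never po/Makefile.*, po/LINGUAS or anything outside po/.

# allowed_path PATH: 0 if PATH is a translation file the automation may change.
allowed_path() {
    case "$1" in
        # Subdirectories (also catches po/../x), dotfiles and build files are
        # rejected before the .po rule, since '*' in a case pattern matches '/'.
        po/*/*|po/.*|po/Makefile*) return 1 ;;
        po/*.po) return 0 ;;
        *) return 1 ;;
    esac
}

# check_paths: one path per line on stdin; report offenders, return 1 if any.
check_paths() {
    rc=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if ! allowed_path "$p"; then
            echo "pre-receive: '$p' is outside po/*.po, rejecting push" >&2
            rc=1
        fi
    done
    return $rc
}

# run_hook: git feeds "<oldrev> <newrev> <refname>" lines on stdin.
run_hook() {
    status=0
    while read -r oldrev newrev refname; do
        # A newly created ref has an all-zero oldrev: diff against the empty tree.
        case "$oldrev" in
            0000000000000000000000000000000000000000)
                oldrev=$(git hash-object -t tree /dev/null) ;;
        esac
        git diff-tree -r --name-only --no-commit-id "$oldrev" "$newrev" \
            | check_paths || status=1
    done
    return $status
}

# Enforce only for the automation account ("translations" is an assumed name);
# human committers keep their normal access.
if [ -n "$GIT_DIR" ] && [ "$(id -un)" = "translations" ]; then
    run_hook || exit 1
fi
```

Because the check runs on the server side, it holds regardless of which hooks or push options are configured in the web-service checkout that performs the push.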
